Hello Waldemar -
If you already know the group from the SearchFilter query, you can just use an
AddToReply like this:
###############################################
<AuthBy LDAP2>
Identifier ASA-Admin
Host w3kvm.adtest.corporate.net
HoldServerConnection
AuthDN cn=radiator,cn=Users,dc=adtest,dc=corporate,dc=net
AuthPassword XXXXX
BaseDN dc=adtest,dc=corporate,dc=net
ServerChecksPassword
UsernameAttr sAMAccountName
SearchFilter
(&(%0=%1)(memberOf=CN=ASAADMINS,DC=adtest,DC=corporate,DC=net))
AddToReply tacacsgroup = ASAADMINS
Debug 255
</AuthBy>
###############################################
<ServerTACACSPLUS>
regards
Hugh
On 27 Sep 2010, at 18:40, <[email protected]> <[email protected]>
wrote:
> Hello,
>
> I am trying to implement the mapping of AD groups to TACACS+ groups.
>
> With AuthAttrDef memberOf,tacacsgroup,reply the complete LDAP string will be
> delivered:
> tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net
>
> My question: is it possible to strip all the unnecessary parts and deliver
> "ASAADMINS" only to tacacsgroup?
>
> I read the manual and mailing list diligently, but was not clever.
>
> Thanks for your help
>
>
>
> Here an extract of my config:
> ###############################################
> <AuthBy LDAP2>
> Identifier ASA-Admin
>
> Host w3kvm.adtest.corporate.net
> HoldServerConnection
>
> AuthDN cn=radiator,cn=Users,dc=adtest,dc=corporate,dc=net
> AuthPassword XXXXX
> BaseDN dc=adtest,dc=corporate,dc=net
> ServerChecksPassword
> UsernameAttr sAMAccountName
>
> SearchFilter
> (&(%0=%1)(memberOf=CN=ASAADMINS,DC=adtest,DC=corporate,DC=net))
>
> AuthAttrDef memberOf,tacacsgroup,reply
>
> Debug 255
> </AuthBy>
> ###############################################
> <ServerTACACSPLUS>
> GroupMemberAttr tacacsgroup
>
> AuthorizeGroup ASAADMINS permit service=shell cmd=show
> cmd-arg=.*
> AuthorizeGroup group1 deny .*
> .....................
> </ServerTACACSPLUS>
> ###############################################
>
> Here an extract of my Log:
>
>
> Sun Sep 26 19:27:09 2010: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Sun Sep 26 19:27:09 2010: DEBUG: Access accepted for aduser01
> Sun Sep 26 19:27:09 2010: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: ,|C<229><152><134><142>p? U<154>qSk<191>
> Attributes:
> tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net
>
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection result Access-Accept
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authentication REPLY 1,
> 0, ,
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection request 193, 2, 2, 0,
> 1234, 79
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsPlus request packet dump:
> c1020200000004d20000004f0e63dedad6576899fad69068509e9bc4dd7fe3edaab83f773ddf0d4679cdadcbca8cd54899138d3cf493fc776e476146108586b5ff3052adcca129fb3fc2b59ca16a8ef718f1f2753f2c136795f90b
> Sun Sep 26 19:27:09 2010: DEBUG: Decrypting TacacsPlus request
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsPlus request decrypted body:
> 0600020015030a030d080d61647573657230314061646d696e732e7265616c6d31323374657374636c69656e74736572766963653d7368656c6c636d643d73686f77636d642d6172673d686f737431
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST
> 6, 0, 2, 0, [email protected], 123, testclient, 3, service=shell cmd=show
> cmd-arg=host1
> Sun Sep 26 19:27:09 2010: INFO: Authorization denied for
> [email protected], group CN=ASAADMINS,DC=adtest,DC=corporate,DC=net. No
> matching AuthorizeGroup rule for args service=shell cmd=show cmd-arg=host1
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE
> 16, denied, ,
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection disconnected from
> 10.11.11.2:1786
>
>
> Kind regards
> Waldemar Siebert
>
> T-Systems International GmbH
> Corporate Customers
> Telecommunications Services & Solutions (TSS)
> Technical Engineering (TSS TE) - Security, Production Engineering & Lab
> Dipl.-Ing. Waldemar Siebert
>
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
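Added example (not code from the thread, from Radiator, or from Open System Consultants): the log above shows why the full DN fails, since AuthorizeGroup is keyed on "ASAADMINS" while tacacsgroup carries "CN=ASAADMINS,DC=adtest,DC=corporate,DC=net". Hugh's AddToReply works when the group is fixed by the SearchFilter; when several memberOf values have to be reduced to short names, the reduction needs a real DN parser (commas can be escaped inside a CN) and a check that the group lives in the expected container, otherwise an unrelated group with the same CN elsewhere in the directory would map onto the same TACACS+ group. The Python below is a small, self-contained illustration of that; SAMPLE_MEMBER_OF, parse_dn, group_name and tacacs_groups are constructed names for this example, and the sandbox group in the sample list is invented to show the collision case.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: memberOf values such as AD might return for the user in
# the thread, plus an invented second group whose CN collides with the real one
# but lives in a different container.  Not data from the original post.
SAMPLE_MEMBER_OF = [
    "CN=ASAADMINS,DC=adtest,DC=corporate,DC=net",
    "CN=Helpdesk,OU=Groups,DC=adtest,DC=corporate,DC=net",
    "CN=ASAADMINS,OU=Sandbox,DC=adtest,DC=corporate,DC=net",
]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs.

    Handles RFC 4514 backslash escapes ('\\,' and the hex form '\\2C') so a
    comma inside a CN does not split the DN.  Multi-valued RDNs ('+') are not
    supported; this is deliberately a small parser for group names only.
    """
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    attr: Optional[str] = None
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\" and i + 1 < n:
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                buf.append(chr(int(hexpair, 16)))   # \2C style escape
                i += 3
            else:
                buf.append(dn[i + 1])               # \, style escape
                i += 2
            continue
        if c == "=" and attr is None:
            attr = "".join(buf).strip()
            buf = []
        elif c == ",":
            if attr is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError("RDN without '=' in %r" % dn)
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def _norm(rdns: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    # Attribute types and AD group names are matched case-insensitively.
    return [(a.lower(), v.lower()) for a, v in rdns]


def group_name(member_of: str, expected_parent: str) -> Optional[str]:
    """Return the bare CN of a group DN, but only if the group sits directly
    under expected_parent.  Returning the CN for any DN would let a group with
    the same CN in another OU map onto the same TACACS+ group name."""
    rdns = parse_dn(member_of)
    if not rdns or rdns[0][0].lower() != "cn":
        return None
    if _norm(rdns[1:]) != _norm(parse_dn(expected_parent)):
        return None
    return rdns[0][1]


def tacacs_groups(member_of_values: List[str], expected_parent: str) -> List[str]:
    """Reduce a list of memberOf DNs to the short names worth passing on as
    tacacsgroup; DNs outside the expected container are dropped, not shortened."""
    names = (group_name(v, expected_parent) for v in member_of_values)
    return [g for g in names if g is not None]


if __name__ == "__main__":
    # With the container from the thread only the real ASAADMINS group survives;
    # the Helpdesk and Sandbox groups live elsewhere and are dropped.
    print(tacacs_groups(SAMPLE_MEMBER_OF, "DC=adtest,DC=corporate,DC=net"))
```

Run it as a script to see the reduced list; in a deployment the same logic would sit in a hook or script between the LDAP lookup and the reply, and the expected_parent value would come from your own configuration rather than from the directory data.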